I wonder how effective it would be to simply put a list of sites in the HOSTS file and redirect them to a bogus (or LOCALHOST) address? Or run your own internal forwarding address DNS server at your site that does specific bogus static addresses for the Windows update site list?

Why not just use a firewall (implemented as either software or hardware), since using the hosts file, proxies, or routing things through a VM isn't near-bulletproof? I really can't think of any other method to fully prevent an app from either sending or receiving data from the Internet. It also must be considered that a firewall can prevent inbound/outbound access, but it can't prevent the app from sending requests for data or waiting to receive data. I use such a strategy on all my Android devices to prevent apps from Net access. It must be tackled both ways. Fortunately, rooting Android is usually easy and opens up all kinds of possibilities for preventing inbound/outbound Net access, as well as preventing apps themselves from making requests or waiting for them. The latter can be accomplished by limiting/disabling/killing certain services/receivers/etc. that these apps use, as well as editing the app's properties directly by modifying its APK and data files.

To me, there are plenty of different ways to restrict/filter your internet connection.

Some will want it easy, some others will want it advanced.

And there already, there will be lots of debates on what is easy or not: perspective...

Also, when it comes to firewalls, the default behavior is usually to trust outbound access (you trust what is inside) and restrict inbound access (evil is out there).

In our particular case (Windows 10 & untrusted software), the evil is inside: rather than containing the evil, best would actually be to get rid of it, but this is another, probably passionate, discussion.

My saying here is that, apart from monitoring in real time what goes out and adapting your firewall every now and then, trying to block outbound access on a Windows platform is quite some effort, if not mission impossible.

Last, we may want to look at how professionals secure their network.

My humble experience showed me that usually there is no direct internet connection.

The internet is usually proxified: only http/https is allowed.

This is very restrictive and users tend to moan about it but if it works for major companies out there, why not follow the same line at the individual level?

My guess is that individuals actually don't want to put up with restrictions.
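The "proxy only, no direct internet" model described in the post above can be approximated on a single Windows 10 machine with the built-in firewall: switch the default outbound action from Allow to Block, permit traffic only to the proxy, and then audit the outbound Allow rules Windows already ships with, since each of those is a hole in the default-deny. The script below is an added example, not code from the thread; the proxy address 192.0.2.10:3128 and the browser path are constructed placeholders.

```powershell
# Added example: default-deny outbound egress with a proxy-only allow rule.
# Run from an elevated PowerShell prompt. Adjust the placeholders first.
$ProxyAddress = '192.0.2.10'   # constructed placeholder: your HTTP/HTTPS proxy
$ProxyPort    = 3128           # constructed placeholder: proxy listening port
$Browser      = 'C:\Program Files\Mozilla Firefox\firefox.exe'  # placeholder

# Weak (factory) setting: outbound traffic is trusted by default.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction

# Corrected setting: block outbound unless a rule explicitly allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# The only outbound path: the browser talking to the proxy over TCP.
New-NetFirewallRule -DisplayName 'Egress: browser to proxy only' `
    -Direction Outbound -Action Allow -Enabled True `
    -Program $Browser -Protocol TCP `
    -RemoteAddress $ProxyAddress -RemotePort $ProxyPort

# Audit: every enabled outbound Allow rule is an exception to default-deny.
# Windows ships with many of these; review and disable the ones you do not need.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile, Group |
    Sort-Object Group, DisplayName |
    Format-Table -AutoSize
```

Name resolution also needs to go through the proxy (or an explicitly allowed resolver), otherwise the browser cannot reach it; check the audit list for any DNS-related rule before relying on this. Default-deny plus a proxy hole gives you the "monitor and adapt" loop the post mentions: anything that stops working shows up as a missing rule, not as silent egress.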